
I am removing malware from my grandpa's Windows computer using the Sysinternals suite. I suspect he has a Trojan which has been making remote connections and downloading a TON of viruses every day.

There are a lot of processes going on and a few of them are pretty suspicious. However, nearly all of them are Windows verified and just barely legitimate enough for me to want to check the DLLs. Unfortunately, I am very new to the malware detection game and I have no idea what each one means or where within Windows it would usually be expected.

EDIT: What I am looking for is a comprehensive (or at least semi-comprehensive) guide to system DLLs with descriptions of what each one does. I have not found anything on the web thus far, so if anyone has a link to a resource it is much appreciated.

  • Knowing whether a DLL is legitimate will not tell you whether it is being used maliciously. When you analyze malware, you begin by statically analyzing the executable. In Windows, part of that is doing PE file analysis in order to understand which Windows DLLs and functions are being called. Processes like rundll32 and crypt32 are used by tons of legitimate programs, and trying to find the malware by looking at those is doing it backwards. You should begin by taking a look at Autoruns (part of the Sysinternals Suite) to locate the binaries launching after a reboot. Find the PE first. – Angelo Schilling Jul 09 '18 at 23:42
  • Here's a simple walkthrough analysis of Cridex I did about a year back (only uploaded a bunch of my internal work stuff to public GH recently): https://eavalenzuela.github.io/2018/04/26/MalwareAnalysisCridex.html – Angelo Schilling Jul 09 '18 at 23:46
  • Don't try to play whack-a-mole. [Nuke it from orbit](https://security.stackexchange.com/q/138606/12) instead. – Xander Jul 10 '18 at 00:11
  • @AngeloSchilling thanks for the link I'll go ahead and read that :) – William Guerra Jul 10 '18 at 00:20
  • @AngeloSchilling I think I understand what you are saying. In other words, I need to locate the potential offender first and then pry it open to see what's going on inside. That makes sense, you are right, I was trying to do it backwards. As for my initial question, I am looking for a more in-depth description of the DLL's function than what is provided within Process Explorer. Or, a list of DLLs that are used by Windows internal programs. – William Guerra Jul 10 '18 at 00:47
  • @WilliamGuerra unfortunately there are quite literally multi-volume series on Windows internal processes and the DLLs they use. Nirsoft publishes an autogenerated index of all base OS DLLs, along with the list of dependencies and other info, but it doesn't discuss what each DLL is for: http://windows10dll.nirsoft.net/ – Angelo Schilling Jul 10 '18 at 20:09
  • But yeah, unless you're doing this for fun, I'd just reinstall the OS. – Angelo Schilling Jul 10 '18 at 20:10
  • @AngeloSchilling, Yes, thank you. This is exactly what I was looking for. I am doing this as an educational experience, as I am trying to learn malware analysis. – William Guerra Jul 10 '18 at 21:02
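One way to turn Process Explorer's DLL view into a short triage list, as an added PowerShell example that is not from the thread: it walks every running process's loaded modules and reports only those that fail Authenticode verification or are loaded from outside the Windows directory. It assumes an elevated PowerShell session on the suspect machine; as the comments above note, a legitimately signed DLL such as rundll32 or crypt32 can still be abused, so the output narrows what to inspect rather than proving anything clean.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 5.1+ session.
# Lists loaded modules that are unsigned/invalidly signed or sit outside %SystemRoot%,
# with a SHA-256 per file so a flagged DLL can be looked up or preserved for later analysis.
$windir = $env:SystemRoot
$seen   = @{}   # report each module path once, even if many processes load it

$findings = foreach ($p in Get-Process) {
    # Protected and some 32-bit processes refuse module enumeration; skip those.
    try { $mods = $p.Modules } catch { continue }
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path -or $seen.ContainsKey($path)) { continue }
        $seen[$path] = $true

        # Authenticode check (catalog-signed OS files verify as 'Valid' on modern Windows).
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $outside = -not $path.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)

        if ($sig.Status -ne 'Valid' -or $outside) {
            [pscustomobject]@{
                Process   = $p.ProcessName
                PID       = $p.Id
                Module    = $path
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            }
        }
    }
}

# Unsigned entries sort first; review those paths and their parent processes by hand.
$findings | Sort-Object SigStatus, Module | Format-Table -AutoSize
```

Run it alongside Autoruns: a flagged module whose path also appears in an autostart entry is the PE to pull off the machine and analyze first.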

1 Answer

If you are positive the box is infected by malware (but do not necessarily know which one), the first thing I would do is image the HDD using a tool like Clonezilla. If he has not rebooted since he first observed the malicious behavior, you could also try to take a memory snapshot you could later analyze with Volatility.

After that I'd reinstall the machine and do offline analysis of the image at home.

John Nemo